16 November 2023
LuxCal version 5.2.4 is now available (security release).
Upgrading to LuxCal 5.2.4
LuxCal 5.2.4 can be installed, or an existing installation upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply LuxCal updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing LuxCal install and test the 5.2.4 upgrade before applying it to the live site. Get started managing your LuxCal installations with Installatron.
What's New in LuxCal 5.2.4
• A cross-site scripting / SQL injection vulnerability reported by JPCERT/CC has been fixed. [VN: JVN#15005948 / TN: JPCERT#97783326]. All calendar input (GET, POST and COOKIE variables) is now sanitized, and variables with a fixed format are validated at the start of the code, before any of them is used.
New Features and Improvements
• An "About LuxCal" option has been added to the side menu; it is available to users with administrator rights. Selecting it shows an About LuxCal overlay with the current calendar version and, if a newer version is available on the LuxSoft website, a message with download links. In addition, when important information is available, LuxSoft can add note or warning texts to this overlay. Calendar administrators are advised to select this menu option from time to time.
• The email regex ($rxEML) has been improved. In special cases, when the event description contained a URL that included an @ sign, the regex used to create email links failed, which resulted in an empty description field.
• In the post-processing of the upgrade function, when searching for old "sml" email links, the offset argument of the strpos call has been removed: PHP 8.1 throws a ValueError when the offset lies outside the haystack.
• On the page Event File Import - iCal format the "Check all Ignore boxes" button has been changed into a "Toggle all Ignore boxes" button.
• Code simplification. The label tags can be put around the item concerned, rather than using <label for='id'>, which makes most ids redundant and the code simpler.
• Code simplification. When using the scandir function, filtering of files is now done by a PHP preg_grep function.
• Code simplification. The long array definition notation (array()) has been replaced by the short notation ([]).
• Code simplification. In the calendar <head> section "onpageshow" has been combined with "onload".
• For events in a category with "to be approved" set, the "approved" check box and its label in the Event window have been moved inside the coloured area of the page body.
• If on the settings page a separator other than '-' had been specified for the event date format, the back-link to the calendar below the message in reminder emails did not work. The date 'nD' is passed in DD format with the user-defined separator, but the GET-parameter validation function required a '-' separator. The validation regex has been updated.
• In the makeE function, under case 6, there was a break; after each of the two lines (nom and nos). There should be a single break; after both lines.
• An error in the regex that extracts an email address from the event's description field and produces the mailto link resulted in a mailto link that did not work and, when the event was edited, could not be converted back to the originally entered email address.
• To avoid SQL errors during the upgrade process, the DB fields notRecip and notMail (pre-4.5) have been added, in the pre-processing section of the upgrade function, to the list of possibly NULL fields that must be set to NOT NULL.
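The security fix above (validate fixed-format GET, POST and COOKIE variables once, at the start of the code) and the reminder-email back-link fix (the date validation regex must respect the user-defined separator) both come down to the same piece of input handling. The following is an added example written for this page; it is not LuxCal's own code, and every name in it (fixedFormats, validateFixed, cleanText, collectInput, $dateSep) is an assumption. It shows a whole-string match that rejects rather than truncates a bad value, a date regex built from the configured separator, and free-text fields kept as entered but HTML-encoded at output time.

```php
<?php
// Added example, not LuxCal's own code. All function and variable names are
// assumptions for this illustration.
declare(strict_types=1);

// Date separator chosen on the settings page; '-' is only one possibility.
$dateSep = '/';

// Regexes for parameters with a fixed format. The 'nD' date is DD<sep>MM<sep>YYYY
// with the configured separator, quoted so that '.' or '/' cannot act as regex
// metacharacters.
function fixedFormats(string $sep): array
{
    $s = preg_quote($sep, '~');
    return [
        'id'   => '~^[0-9]{1,10}$~',
        'cal'  => '~^[A-Za-z0-9_]{1,32}$~',
        'view' => '~^(year|month|week|day|upcoming)$~',
        'nD'   => '~^[0-9]{2}' . $s . '[0-9]{2}' . $s . '[0-9]{4}$~',
    ];
}

// Return the value only if the whole string matches; otherwise null.
// A partial match such as "7 OR 1=1" must never be trimmed to "7".
function validateFixed(string $name, $value, string $sep): ?string
{
    $formats = fixedFormats($sep);
    if (!isset($formats[$name]) || !is_string($value)) {
        return null;
    }
    return preg_match($formats[$name], $value) === 1 ? $value : null;
}

// Free-text fields (title, description) have no fixed format. They are not
// rewritten into a different string: control characters are dropped here,
// HTML is encoded at output time, and the DB only sees them as bound parameters.
function cleanText($value): string
{
    if (!is_string($value)) {
        return '';
    }
    return (string) preg_replace('~[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]~', '', $value);
}

function htmlOut(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One pass over COOKIE, GET and POST. Unknown keys are ignored; a later source
// overrides an earlier one, so a form field wins over a cookie of the same name.
function collectInput(array $get, array $post, array $cookie, string $sep): array
{
    $fixed = ['id', 'cal', 'view', 'nD'];
    $text  = ['title', 'descr'];
    $out   = array_fill_keys($fixed, null) + array_fill_keys($text, '');
    foreach ([$cookie, $get, $post] as $src) {
        foreach ($fixed as $k) {
            if (array_key_exists($k, $src)) {
                $out[$k] = validateFixed($k, $src[$k], $sep);
            }
        }
        foreach ($text as $k) {
            if (array_key_exists($k, $src)) {
                $out[$k] = cleanText($src[$k]);
            }
        }
    }
    return $out;
}

// Constructed sample request (not captured traffic): a date using the
// configured '/' separator, an id carrying an injection attempt, and a
// description with markup.
$in = collectInput(
    ['nD' => '16/11/2023', 'id' => '7 OR 1=1', 'view' => 'month'],
    ['descr' => 'Meet <script>alert(1)</script> at noon'],
    ['cal' => 'main'],
    $dateSep
);
var_dump($in);
echo htmlOut($in['descr']), "\n";

// A required fixed-format parameter that came back null should abort the
// request. A valid one is still bound, never interpolated, when it reaches SQL:
// $stmt = $pdo->prepare('SELECT * FROM events WHERE id = :id');
// $stmt->execute([':id' => $in['id']]);
```

The point of the whole-string anchors (^ and $) with a null result is that an invalid value disappears entirely instead of being partly accepted; the point of preg_quote on the separator is that a user-chosen '.' or '/' cannot widen the date regex. Validation of the fixed-format values does not replace prepared statements for the free-text ones.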
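The two email-link bullets above describe a regex that broke on a URL containing an @ sign (leaving an empty description) and a mailto link that could not be turned back into the typed address. The following added example, which is not LuxCal's $rxEML and whose names (RX_URL, RX_EMAIL, linkEmails, unlinkEmails) are assumptions, shows one way to avoid both: hide URLs behind placeholders before matching addresses, fall back to the original text when the regex engine fails instead of saving an empty string, encode the address before placing it in the href, and make the markup reversible.

```php
<?php
// Added example, not LuxCal's own code. Constant and function names are
// assumptions for this illustration.
declare(strict_types=1);

const RX_URL   = '~https?://[^\s<>"\']+~i';
// An address may not be glued to other word characters or to another '@'.
const RX_EMAIL = '~(?<![\w@.+-])([\w.+-]+@[\w-]+(?:\.[\w-]+)+)(?![\w-])~u';

function linkEmails(string $descr): string
{
    $urls = [];
    // 1. Hide URLs behind placeholders so "https://user@host/" is never
    //    mistaken for an address.
    $text = preg_replace_callback(RX_URL, function (array $m) use (&$urls): string {
        $urls[] = $m[0];
        return "\x01" . (count($urls) - 1) . "\x01";
    }, $descr);
    // 2. Link what is left. A regex failure (e.g. invalid UTF-8 with the 'u'
    //    flag) returns null; fall back to the original text rather than
    //    storing an empty description.
    $text = preg_replace_callback(RX_EMAIL, function (array $m): string {
        $addr = htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
        return '<a href="mailto:' . $addr . '">' . $addr . '</a>';
    }, $text ?? $descr);
    if ($text === null) {
        return $descr;
    }
    // 3. Restore the URLs.
    return (string) preg_replace_callback('~\x01(\d+)\x01~', function (array $m) use ($urls): string {
        return $urls[(int) $m[1]];
    }, $text);
}

// Reverse the markup so the editor shows the address exactly as entered.
function unlinkEmails(string $html): string
{
    return (string) preg_replace('~<a href="mailto:([^"]+)">\1</a>~', '$1', $html);
}

// Constructed sample description (not a real event).
$descr = 'Slides: https://deploy@files.example.org/deck.pdf, questions to alice.b@example.org.';
$html  = linkEmails($descr);
echo $html, "\n";
var_dump(unlinkEmails($html) === $descr);
```

The null checks are the part that matters for the "empty description" symptom: PHP's preg_* functions return null on an engine error, and any code that assigns that result straight back into the field silently erases it.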